Uber has agreed to pay a hefty $148 million settlement after concealing a data breach in 2016 containing 57 million users’ data. In hopes of preventing this from recurring, it’s time for Uber to reassess their risk management practices, and in turn regain the public’s trust as well.
Although this regulatory problem has resulted in a huge sum of money, this is not the greatest consequence Uber will face due to a risk management failure. The hit on Uber’s reputation is massive. The concept I call the see-through economy has let us witness Uber’s negligence on one issue after another. Consequently, consumers have not liked what they’ve seen and have begun to take their business elsewhere.
The company has reportedly lost 1 percent of the ground transportation market, and as much as 8 percent in San Francisco. Meanwhile, its ride-hailing rival Lyft is on the rise. This is the first time that Uber has not merely seen slower growth in its customer base but has actually lost customers.
As customers continue to retract their business, the investors will begin to back out; therefore, the company will lose market value. This downward spiral will result in monumental consequences, both financially and reputationally, if a major change in risk management is not made.
Over the last few years, organizations have experienced scandals that were 100% avoidable. What has been the root cause? Failures in their risk management processes and systems. Uber is no different from Equifax or Wells Fargo, all of which failed to identify the root cause of their risks and continued to suffer the consequences.
While Uber has taken steps in the right direction with hiring new risk executives, I believe these mishaps will continue to occur time and time again until Uber implements an effective enterprise risk management program. Just as I foreshadowed Wells Fargo’s July 2017 data breach, I believe that these incidents will continue to occur unless Uber adopts a risk-based process for managing risks across departments and levels. Will the largest multi-state settlement for Uber be what drives them to make some real changes in their risk management practices?
Last year, I examined the missteps that Uber had taken and found that the company not only lacked healthy risk practices, but also lacked senior leadership who valued the importance of these practices. The stolen information included names, email addresses, and mobile numbers. While this incident may at first glance not seem as important as stolen credit card or Social Security numbers, the consequences are huge.
Companies such as Uber are required to alert government agencies when sensitive data breaches such as this occur. When news of a breach of this nature is swept under the rug, both individual users and the companies they work for are left in the dark.
How could outside companies suffer from Uber's mistakes? People are only human, and too often employees reuse their personal email addresses and passwords at work. When this type of information is stolen, it can lead to impersonation and further breaches at those employers. As a result, not only were 57 million users affected, but their companies have all been unknowingly exposed to risk as well.
While Uber may have been able to avoid litigation penalties for this breach until now, it is now faced with a huge fine and a damaged reputation. An incident that could have been buried thirty years ago cannot remain hidden from the public eye in the see-through economy.
Considering the U.S. government has opened at least five criminal probes into the company since Uber’s founding in 2009, a long road lies ahead towards regaining the public’s trust. In Chief Legal Officer Tony West’s statement regarding the settlement, he noted that measures have been taken to improve safety and security. CEO Dara Khosrowshahi also requested that the CSO at the time of the breach submit his resignation, and hired a new Chief Privacy Officer and a Chief Trust and Security Officer.
While these steps are primarily reactive measures, I hope that Khosrowshahi will recognize that the root cause is weak risk management governance processes, and that more proactive steps need to be taken toward an effective risk management program to prevent more scandals in the future. Further, although today's news concerns a failure of risk management in security and privacy, Uber's risk management failures have been occurring across multiple business areas. They share the same root cause: a weak risk management program and process, and the lack of an ERM system.
An ERM system would not only identify and fill gaps in Uber's cybersecurity policies and procedures; it would also spare Uber's new management from being placed in a position of negligence. Enterprise risk management enables companies to act against risks that are 100% preventable. It is up to companies such as Uber to take that responsibility.